Java bug CVE-2012-4681

There seems to be a nasty bug out there in some implementations of Java 7, including IcedTea7 and OpenJDK7. The bug is very public and being actively abused to circumvent security restrictions. Please upgrade to IcedTea 2.3.1 or build your packages using the patch as discussed on the OpenJDK mailinglists.

Note that if you are using the icedtea-web applet viewer then you are not directly vulnerable to the exploits as currently out there in the wild since those try to disable the SecurityManager completely and icedtea-web doesn’t allow that (some proprietary applet plugins do allow that though). But there are other ways to abuse this bug to circumvent security restrictions in a more subtle way, so patching is still very recommended.

classpath/icedtea server updates

Some classpath/icedtea servers changed networks/ip addresses on Sunday. Changes should propagate through DNS on Monday. This can cause connection errors to, (buildbot and jenkins) and (hg backups). Apologies for the late notice.

Justice – APIs are not subject to copyright protection

anyone is free under the Copyright Act to write his or her own code to carry out exactly the same function or specification of any methods used in the Java API

More on Groklaw.

Pull user-space probe instrumentation

commit 654443e20dfc0617231f28a07c96a979ee1a0239
Merge: 2c01e7b 9cba26e
Author: Linus Torvalds 
Date:   Thu May 24 11:39:34 2012 -0700

    Merge branch 'perf-uprobes-for-linus' of git://
    Pull user-space probe instrumentation from Ingo Molnar:
     "The uprobes code originates from SystemTap and has been used for years
      in Fedora and RHEL kernels.  This version is much rewritten, reviews
      from PeterZ, Oleg and myself shaped the end result.
      This tree includes uprobes support in 'perf probe' - but SystemTap
      (and other tools) can take advantage of user probe points as well.
      Sample usage of uprobes via perf, for example to profile malloc()
      calls without modifying user-space binaries.
      First boot a new kernel with CONFIG_UPROBE_EVENT=y enabled.
      If you don't know which function you want to probe you can pick one
      from 'perf top' or can get a list all functions that can be probed
      within libc (binaries can be specified as well):
    	$ perf probe -F -x /lib/
      To probe libc's malloc():
    	$ perf probe -x /lib64/ malloc
    	Added new event:
    	probe_libc:malloc    (on 0x7eac0)
      You can now use it in all perf tools, such as:
    	perf record -e probe_libc:malloc -aR sleep 1
      Make use of it to create a call graph (as the flat profile is going to
      look very boring):
    	$ perf record -e probe_libc:malloc -gR make
    	[ perf record: Woken up 173 times to write data ]
    	[ perf record: Captured and wrote 44.190 MB (~1930712
    	$ perf report | less
    	  32.03%            git   [.] malloc
    	                    --- malloc
    	  29.49%            cc1   [.] malloc
    	                    --- malloc
    	                       |--0.95%-- 0x208eb1000000000
    	                       |--0.63%-- htab_traverse_noresize
    	  11.04%             as   [.] malloc
    	                     --- malloc
    	   7.15%             ld   [.] malloc
    	                     --- malloc
    	   5.07%             sh   [.] malloc
    	                     --- malloc
    	   4.99%  python-config   [.] malloc
    	          --- malloc
    	   4.54%           make   [.] malloc
    	                   --- malloc
    	                      |--7.34%-- glob
    	                      |          |
    	                      |          |--93.18%-- 0x41588f
    	                      |          |
    	                      |           --6.82%-- glob
    	                      |                     0x41588f
    	$ perf report -g flat | less
    	# Overhead        Command  Shared Object      Symbol
    	# ........  .............  .............  ..........
    	  32.03%            git   [.] malloc
    	  29.49%            cc1   [.] malloc
    	  11.04%             as   [.] malloc
    	   7.15%             ld   [.] malloc
      The core uprobes design is fairly straightforward: uprobes probe
      points register themselves at (inode:offset) addresses of
      libraries/binaries, after which all existing (or new) vmas that map
      that address will have a software breakpoint injected at that address.
      vmas are COW-ed to preserve original content.  The probe points are
      kept in an rbtree.
      If user-space executes the probed inode:offset instruction address
      then an event is generated which can be recovered from the regular
      perf event channels and mmap-ed ring-buffer.
      Multiple probes at the same address are supported, they create a
      dynamic callback list of event consumers.
      The basic model is further complicated by the XOL speedup: the
      original instruction that is probed is copied (in an architecture
      specific fashion) and executed out of line when the probe triggers.
      The XOL area is a single vma per process, with a fixed number of
      entries (which limits probe execution parallelism).
      The API: uprobes are installed/removed via
      /sys/kernel/debug/tracing/uprobe_events, the API is integrated to
      align with the kprobes interface as much as possible, but is separate
      to it.
      Injecting a probe point is privileged operation, which can be relaxed
      by setting perf_paranoid to -1.
      You can use multiple probes as well and mix them with kprobes and
      regular PMU events or tracepoints, when instrumenting a task."
    Fix up trivial conflicts in mm/memory.c due to previous cleanup of
    * 'perf-uprobes-for-linus' of git:// (21 commits)
      perf probe: Detect probe target when m/x options are absent
      perf probe: Provide perf interface for uprobes
      tracing: Fix kconfig warning due to a typo
      tracing: Provide trace events interface for uprobes
      tracing: Extract out common code for kprobes/uprobes trace events
      tracing: Modify is_delete, is_return from int to bool
      uprobes/core: Decrement uprobe count before the pages are unmapped
      uprobes/core: Make background page replacement logic account for rss_stat counters
      uprobes/core: Optimize probe hits with the help of a counter
      uprobes/core: Allocate XOL slots for uprobes use
      uprobes/core: Handle breakpoint and singlestep exceptions
      uprobes/core: Rename bkpt to swbp
      uprobes/core: Make order of function parameters consistent across functions
      uprobes/core: Make macro names consistent
      uprobes: Update copyright notices
      uprobes/core: Move insn to arch specific structure
      uprobes/core: Remove uprobe_opcode_sz
      uprobes/core: Make instruction tables volatile
      uprobes: Move to kernel/events/
      uprobes/core: Clean up, refactor and improve the code

FSF statement on jury’s partial verdict in Oracle v Google

Were it grounded in reality, Oracle’s claim that copyright law gives them proprietary control over any software that uses a particular functional API would be terrible for free software and programmers everywhere. It is an unethical and greedy interpretation created with the express purpose of subjugating as many computer users as possible, and is particularly bad in this context because it comes at a time when the sun has barely set on the free software community’s celebration of Java as a language newly suitable for use in the free world. Fortunately, the claim is not yet reality, and we hope Judge Alsup will keep it that way.

John Sullivan, executive director of the Free Software Foundation

GNU Classpath, What is Java?

Funny to see Tap the Waterdroplet (the GNU Classpath mascot) used in court to explain what Java is:
GNU Classpath, What is Java?
Tap makes a couple more cameo appearances in the documents. It is a fun read.

Automagically merging ChangeLog files with mercurial or git

When a project keeps a GNU style ChangeLog file to keep track of who changed what where then those files can be automagically merged if you use mercurial or git.

gnulib contains a module git-merge-changelog which, despite the name, works perfectly with several version control systems.

To install it:

git clone git://
cd gnulib
./gnulib-tool --create-testdir --dir=/tmp/testdir123 git-merge-changelog
cd /tmp/testdir123
make install


For Mercurial add the following lines to your ~/.hgrc:

ChangeLog = git-merge-changelog

git-merge-changelog.executable = /usr/local/bin/git-merge-changelog
git-merge-changelog.args = $base $local $other

That installs the git-merge-changelog driver globally for all hg repos.


For git add the following lines to your ~/.gitconfig

[merge "merge-changelog"]
	name = GNU-style ChangeLog merge driver
	driver = /usr/local/bin/git-merge-changelog %O %A %B

    attributesfile = ~/.gitattributes

And add the following line to ~/.gitattributes

ChangeLog       merge=merge-changelog

Note: The global core.attributesfile exists only since git 1.7.4, before that you would have to configure this for each git repo separately, by doing:

cd ~/src/[repo-name]
echo "ChangeLog   merge=merge-changelog" >> .git/info/attributes

And never worry again about having to manually merge ChangeLog files.

IcedTea and OpenJDK now part of OIN

The Open Invention Network patent agreement now also covers IcedTea and OpenJDK (see the new System Environment Components list). The covered version of GCC/GNU Classpath/libgcj have been updated to the latest release and various GNU Classpath[X] components have been added. As have the Eclipse SDK and ECJ. This is good news since that means the various companies which are part of OIN (Red Hat, IBM, Oracle, Google, Sony, Philips, Novell etc.) have agreed to patent cross-license and release from claims of patent infringement each other and everybody who joins OIN and agrees to collaborate in the same way around GNU/Linux and the various implementations of the java programming language.

503: Service Unavailable

Planet Classpath is offline today, because the US congress is considering legislation that could kill us forever. The legislation is called the PROTECT IP Act (PIPA). This legislation threatens everyone’s freedom of speech, privacy, and security online.

This would unmake the Web, just as proposed in the Stop Online Piracy Act (SOPA). We don’t want that world. Visit for some options to contact your representatives if you are an American citizen. The Electronic Frontier Foundation has more information on this and other issues central to your freedom online.

We will return tomorrow,

The Management

Free Java @ FOSDEM 2012 (CFP deadline end this year!)

The end of 2011 is near.
The Free Java Momentum will be even bigger in 2012.
Have you made your new year’s resolutions yet?
And is attending Free Java @ FOSDEM 2012 on Feb 4 and 5 one of them?

Or are you even more ambitious and will you submit a talk proposal?
Then please make sure you submit an abstract before the end of the year
to Full instructions can be found at: